# Host-side NixOS module for the "sm-worker" nixos-container (systemd-nspawn).
# The container runs podman/arion workloads plus the Photon geocoder; the host
# provides NAT, persistence of the container state and restic backups.
{
  pkgs,
  lib,
  inputs,
  configVars,
  ...
}: let
  # Every file under users/keys is read as an SSH public key and becomes a root
  # authorized key inside the container (users.users.root below).
  pubKeys = lib.filesystem.listFilesRecursive ../../users/keys;
  containerName = "sm-worker";
  sops-nix = inputs.sops-nix;
  # Host directory holding the Semitamaps data; bind-mounted read-write into the
  # container and included in the daily restic backup.
  semitamapsData = configVars.locations.semitamapsData;
  containerIp = configVars.networking.addresses.sm-worker.ip;
  gatewayIp = configVars.networking.addresses.gateway.ip;
  arion = inputs.arion;
in {
  # NAT the container veth interfaces ("ve-*") out through the host bridge.
  networking.nat.enable = true;
  networking.nat.internalInterfaces = ["ve-+"];
  networking.nat.externalInterface = "br0";

  # Keep the container's state directory across host reboots (impermanence).
  environment.persistence."/persist" = {
    hideMounts = true;
    directories = [
      "/var/lib/nixos-containers/${containerName}"
    ];
  };

  # Only the data directory is backed up; the container state directory above
  # is not part of the backup set.
  services.restic.backups = {
    daily = {
      paths = [
        semitamapsData
      ];
    };
  };

  containers."${containerName}" = {
    enableTun = true;

    # configuration to run docker/podman in systemd-nspawn container
    # https://discourse.nixos.org/t/podman-docker-in-nixos-container-ideally-in-unprivileged-one/22909/12
    # NOTE(review): this string is spliced into nspawn's --capability argument,
    # so besides granting every capability it injects --system-call-filter and a
    # second --capability=all flag. Treat the container as effectively
    # privileged: a compromise of anything running inside it (podman, the
    # tileserver compose, photon) should be handled as a host compromise.
    # The string must stay byte-exact for the injection to parse.
    additionalCapabilities = [
      ''all" --system-call-filter="add_key keyctl bpf" --capability="all''
    ];
    # NOTE(review): --private-users-ownership only matters when nspawn runs with
    # user namespaces (--private-users); nothing in this file sets the
    # container's privateUsers option, so confirm the generated unit actually
    # enables them before relying on it as an isolation boundary.
    extraFlags = ["--private-users-ownership=chown"];
    allowedDevices = [
    ];
    ######

    autoStart = true;
    privateNetwork = true;
    hostBridge = "br0";
    nixpkgs = pkgs.path;
    bindMounts = {
      # NOTE(review): the host's SSH host private key is exposed to the container
      # so sops-nix can derive its age identity from it (sops.age below). Container
      # root therefore shares the host's SSH identity and can decrypt every secret
      # encrypted to that host key, and anyone holding a key listed in users/keys
      # (root SSH login below) can read it. A container-specific key would narrow
      # that blast radius.
      "/etc/ssh/ssh_host_ed25519_key" = {
        hostPath = "/etc/ssh/ssh_host_ed25519_key";
        isReadOnly = true;
      };
      # Read-write; the photon service below executes a jar out of this tree.
      "/data/semitamaps-data" = {
        hostPath = semitamapsData;
        isReadOnly = false;
      };
    };

    # Guest NixOS configuration.
    config = {
      pkgs,
      lib,
      ...
    }: let
      # Path of the nix-secrets flake input, coerced to a string, and the sops
      # file inside it.
      secretsDirectory = builtins.toString inputs.nix-secrets;
      secretsFile = "${secretsDirectory}/secrets.yaml";
    in {
      networking = {
        # Static addressing on the bridged eth0; values come from configVars.
        defaultGateway = "${gatewayIp}";
        interfaces.eth0.ipv4.addresses = [
          {
            "address" = "${containerIp}";
            "prefixLength" = 24;
          }
        ];
        firewall = {
          enable = true;
          # NOTE(review): 2322/8080/8081 are reachable from the bridge network;
          # which service listens on each is not defined in this file
          # (presumably the arion tileserver compose) — document the mapping here.
          # sshd's port is opened separately by services.openssh's default.
          allowedTCPPorts = [
            2322
            8080
            8081
          ];
        };
        # Override the nixos-container module's default so the guest does its
        # own resolution via systemd-resolved (enabled below).
        useHostResolvConf = lib.mkForce false;
      };

      services.resolved.enable = true;

      sops = {
        defaultSopsFile = "${secretsFile}";
        validateSopsFiles = false;

        # Age identity derived from the bind-mounted host SSH key.
        age = {
          sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
        };
      };

      imports = [
        sops-nix.nixosModules.sops
        arion.nixosModules.arion
        ../arion-containers/semitamaps-tileserver.nix
      ];

      environment.systemPackages = [
        pkgs.vim
        pkgs.git
        pkgs.arion
        pkgs.podman-compose
        pkgs.jdk
      ];

      # Podman with the docker-compatible socket for arion. dns_enabled is
      # presumably why UDP/53 is opened on podman interfaces below.
      virtualisation = {
        podman = {
          enable = true;
          dockerSocket.enable = true;
          defaultNetwork.settings.dns_enabled = true;
          dockerCompat = true;
        };
      };

      networking.firewall.interfaces."podman+".allowedUDPPorts = [53];

      # Photon geocoder, started directly from the bind-mounted data directory.
      systemd.services.photon = {
        wantedBy = ["multi-user.target"];
        after = ["network.target"];
        description = "Photon Service";
        path = ["/run/current-system/sw"];
        serviceConfig = {
          WorkingDirectory = "/data/semitamaps-data/photon";
          # NOTE(review): no User= is set, so photon runs as container root
          # (effectively host-privileged, see additionalCapabilities), and the jar
          # is selected by glob from a host-writable directory: whoever can write
          # there chooses the code that runs. A second photon-*.jar would also be
          # passed to the program as an argument. Pinning the jar name and running
          # under a dedicated user would close both gaps. -cors-any presumably
          # permits requests from any web origin.
          ExecStart = pkgs.writeShellScript "photon" ''
            java -jar photon-*.jar -cors-any
          '';
          Restart = "on-failure";
        };
      };

      # node_exporter; openFirewall exposes its port on every interface,
      # including the bridge-facing one.
      services.prometheus = {
        exporters = {
          node = {
            enable = true;
            enabledCollectors = ["systemd"];
            openFirewall = true;
          };
        };
      };

      # Key-only SSH. Root login relies on the NixOS default PermitRootLogin
      # (prohibit-password) rather than an explicit setting.
      services.openssh = {
        enable = true;
        settings.PasswordAuthentication = false;
      };

      # Every key file under users/keys may log in as root inside the container.
      users.users = {
        root = {
          openssh.authorizedKeys.keys = lib.lists.forEach pubKeys (key: builtins.readFile key);
        };
      };

      system.stateVersion = "24.05";
    };
  };
}